TCP reset by appliance

mahesh18

Hi Everyone,

I am trying an https connection between server and ASA.

%ASA-6-302014: Teardown TCP connection 977425972 for inside :192.168.50.220/52438 to identity:192.168.51.1/443 duration 0:00:00 bytes 0 TCP Reset by appliance

%ASA-6-302013: Built inbound TCP connection 977425972 for inside :192.168.50.220/52438 (192.168.50.220/52438) to identity:192.168.51.1/443 (192.168.51.1/443).

These are logs from ASA

where 192.168.50.220 is server IP

192.168.51.1 is ASA IP

Need to know if issue is at ASA or server side?

Regards

MAhesh


Jouni Forss

Hi,

At least the message tells us that the ASA resets the TCP connection.

Have you seen any other logs in addition to these?

Some sources suggest that there is a mismatch between the encryption the client's browser and ASA support.

Here is a document about ASDM troubleshooting

https://supportforums.cisco.com/docs/DOC-15016

You can use the command

show run all ssl

to view what is configured on the ASA side.

- Jouni

Hi Jouni,

These are the only logs which I see again and again when I try the https connection.

It's between Cisco CSM server and ASA.

Other thing is that the https connection works fine between PC and Server, which goes via the same ASA.

Regards

Mahesh

Hi Jouni,

sh run all ssl  shows

ssl server-version any

ssl client-version any

ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

Thanks

MAhesh

Hi,

I have never used CSM so I don't know much about how it works with the ASA.

I would imagine that there is perhaps some configuration related problem between the CSM and the ASA.

Are you getting any error messages on the CSM to hint what the problem might be?

Have you allowed the CSM source address with the command

http

I think that is required at least.

- Jouni

Hi Jouni,

How CSM works is that we add the ASA into CSM, and then CSM tries to connect to the ASA via https.

I have already configured http server ip mask int on ASA.

These are the messages I get on CSM when I try to add the ASA via https.

I get this https error:

Connectivity  Test Failed. Time Elapsed: 127 seconds. Unable to Communicate With  Device No response to connection attempt to this device Please verify  the following and then retry this operation. (1) The device "IP  address", Communication Protocol Mode and Port are correct.

(2) There is network connectivity between the CS Manager server and the device.

(3)  The device is configured to accept http/https connections. To Discover  IPS policies from IOS or IPS devices the http/https connections should  be enabled otherwise IPS policy discovery should be disabled.

(4) The device is running.

Regards

MAhesh

Hi Jouni,

Will packet capture help to identify why ASA is resetting the connection?

Regards

MAhesh

Hi,

I would imagine that you might need to debug the HTTP connection and possibly the AAA.

Again I have to say that I have never set up or used CSM so I have no knowledge of it and can only guess.

I would imagine that the CSM uses some username/password to log into the ASA? If so, have you confirmed that there are no typing errors on the username/password?

Naturally you can also capture the traffic on the ASA and on the server and see if that gives any hint of the problem.

- Jouni

Hi Jouni,

Issue is fixed. From the CSM server I need to add the IP of the ASA interface where the server connects, but I was actually adding the IP of the ASA hostname.

Best regards

MAhesh
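
Added example (not part of the original thread and not Cisco tooling): a small Python parser for the two syslog formats quoted in the first post, %ASA-6-302013 and %ASA-6-302014. It flags connections to the ASA itself (identity) that the appliance reset before any bytes were exchanged, and reports the ingress interface and the ASA address that was targeted. The sample log and all function names are constructed for illustration.

```python
import re

# Constructed sample: the two messages quoted in the first post (teardown
# listed before build, as posted) plus a made-up through-the-box connection.
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 977425972 for inside :192.168.50.220/52438 to identity:192.168.51.1/443 duration 0:00:00 bytes 0 TCP Reset by appliance
%ASA-6-302013: Built inbound TCP connection 977425972 for inside :192.168.50.220/52438 (192.168.50.220/52438) to identity:192.168.51.1/443 (192.168.51.1/443).
%ASA-6-302013: Built outbound TCP connection 977425980 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:192.168.50.30/50111 (192.168.50.30/50111)
%ASA-6-302014: Teardown TCP connection 977425980 for outside:198.51.100.7/443 to inside:192.168.50.30/50111 duration 0:00:12 bytes 48213 TCP FINs
"""

def _ep(p):
    # "<interface>:<ip>/<port>", tolerating the space before ':' seen in the post
    return rf"(?P<{p}if>\S+?)\s*:\s*(?P<{p}ip>[\d.]+)/(?P<{p}port>\d+)"

BUILT = re.compile(r"%ASA-6-302013: Built (?P<dir>\w+) TCP connection (?P<id>\d+) for ")
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for " + _ep("s")
    + r" to " + _ep("d") + r" duration (?P<dur>\S+) bytes (?P<bytes>\d+)\s*(?P<reason>.*)")

def find_box_resets(log_text):
    """Zero-byte connections to the ASA itself that the appliance reset."""
    lines = log_text.splitlines()
    # Pass 1: index Built records so line order (oldest or newest first) is irrelevant.
    built = {m["id"]: m["dir"] for m in map(BUILT.search, lines) if m}
    findings = []
    for m in filter(None, map(TEARDOWN.search, lines)):
        if "identity" not in (m["sif"], m["dif"]):
            continue  # through-the-box traffic, not a management connection
        if int(m["bytes"]) != 0 or m["reason"].strip() != "TCP Reset by appliance":
            continue  # data was exchanged, or someone else closed the connection
        client, box = ("s", "d") if m["dif"] == "identity" else ("d", "s")
        findings.append({
            "conn_id": m["id"],
            "direction": built.get(m["id"], "unknown"),
            "ingress_if": m[client + "if"],
            "client": m[client + "ip"],
            "asa_ip": m[box + "ip"],
            "asa_port": int(m[box + "port"]),
        })
    return findings

if __name__ == "__main__":
    for finding in find_box_resets(SAMPLE_LOG):
        print(finding)
```

In this thread the fix was pointing CSM at the IP of the ASA interface the server connects through, so the first thing to compare in each finding is asa_ip against the address configured on ingress_if.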
